fix(authentication-service): add all variables for azure oauth strate…

…gy (#990) * fix(authentication-service): add all variables for azure oauth strategy gh-00 * fix(authentication-service): add all the variables for strategy gh-00 * fix(authentication-service): sonar gh-00
sourcefuse · Aug 24, 2022 · 920c6b6 · 920c6b6
1 parent 149edf7
commit 920c6b6
Show file tree

Hide file tree

Showing 4 changed files with 73 additions and 24 deletions.
diff --git a/services/authentication-service/.env.defaults b/services/authentication-service/.env.defaults
@@ -30,18 +30,24 @@ FORGOT_PASSWORD_LINK_EXPIRY=30
 REQUEST_SIGNUP_LINK_EXPIRY=30
 
 # AZURE AD
-# for false let it be blank
-
-AZURE_AUTH_ENABLED=true
+#boolean values will be 0 or 1
 
+AZURE_AUTH_ENABLED=0
 AZURE_IDENTITY_METADATA=https://login.microsoftonline.com/common/.well-known/openid-configuration
 AZURE_AUTH_CLIENT_ID=a
 AZURE_AUTH_REDIRECT_URL=url
 AZURE_AUTH_CLIENT_SECRET=client_secret
-AZURE_AUTH_ALLOW_HTTP_REDIRECT=true
-AZURE_AUTH_COOKIE_INSTEAD_SESSION=true
-AZURE_AUTH_PASS_REQ_CALLBACK=
-AZURE_AUTH_VALIDATE_ISSUER=
+AZURE_AUTH_ALLOW_HTTP_REDIRECT=1
+AZURE_AUTH_COOKIE_INSTEAD_SESSION=1
+AZURE_AUTH_PASS_REQ_CALLBACK=0
+AZURE_AUTH_VALIDATE_ISSUER=0
+AZURE_AUTH_B2C_TENANT=0
+AZURE_AUTH_CLOCK_SKEW=300
+AZURE_AUTH_LOG_LEVEL=
+AZURE_AUTH_LOG_PII=1
+AZURE_AUTH_NONCE_TIME=3600
+AZURE_AUTH_NONCE_COUNT=10
+AZURE_AUTH_ISSUER=
 
 # key is 32 bit
 

diff --git a/services/authentication-service/.env.example b/services/authentication-service/.env.example
@@ -42,7 +42,7 @@ KEYCLOAK_CLIENT_SECRET=
 KEYCLOAK_CALLBACK_URL=
 
 # AZURE AD
-# for false let it be blank
+#boolean values will be 0 or 1
 
 AZURE_AUTH_ENABLED=
 AZURE_IDENTITY_METADATA=
@@ -53,6 +53,13 @@ AZURE_AUTH_ALLOW_HTTP_REDIRECT=
 AZURE_AUTH_COOKIE_INSTEAD_SESSION=
 AZURE_AUTH_PASS_REQ_CALLBACK=
 AZURE_AUTH_VALIDATE_ISSUER=
+AZURE_AUTH_B2C_TENANT=
+AZURE_AUTH_CLOCK_SKEW=
+AZURE_AUTH_LOG_LEVEL=
+AZURE_AUTH_LOG_PII=
+AZURE_AUTH_NONCE_TIME=
+AZURE_AUTH_NONCE_COUNT=
+AZURE_AUTH_ISSUER=
 
 # key is 32 bit
 

diff --git a/services/authentication-service/src/component.ts b/services/authentication-service/src/component.ts
@@ -102,7 +102,7 @@ export class AuthenticationServiceComponent implements Component {
     // Mount core component
     this.application.component(CoreComponent);
 
-    if (!!process.env.AZURE_AUTH_ENABLED) {
+    if (!!+(process.env.AZURE_AUTH_ENABLED ?? 0)) {
       const expressMiddlewares =
         this.application.getSync(SFCoreBindings.EXPRESS_MIDDLEWARES) ?? [];
       expressMiddlewares.push(cookieParser());

diff --git a/services/authentication-service/src/modules/auth/azure-login.controller.ts b/services/authentication-service/src/modules/auth/azure-login.controller.ts
@@ -41,6 +41,9 @@ const queryGen = (from: 'body' | 'query') => {
   };
 };
 const offSet = 10;
+const clockSkew = 300;
+const nonceTime = 3600;
+const nonceCount = 10;
 export class AzureLoginController {
   constructor(
     @repository(AuthClientRepository)
@@ -61,17 +64,28 @@ export class AzureLoginController {
       responseMode: 'query',
       redirectUrl: process.env.AZURE_AUTH_REDIRECT_URL,
       clientSecret: process.env.AZURE_AUTH_CLIENT_SECRET,
-      allowHttpForRedirectUrl: !!process.env.AZURE_AUTH_ALLOW_HTTP_REDIRECT,
-      passReqToCallback: !!process.env.AZURE_AUTH_PASS_REQ_CALLBACK,
-      validateIssuer: !!process.env.AZURE_AUTH_VALIDATE_ISSUER,
-      useCookieInsteadOfSession:
-        !!process.env.AZURE_AUTH_COOKIE_INSTEAD_SESSION,
+      allowHttpForRedirectUrl: !!+(
+        process.env.AZURE_AUTH_ALLOW_HTTP_REDIRECT ?? 1
+      ),
+      passReqToCallback: !!+(process.env.AZURE_AUTH_PASS_REQ_CALLBACK ?? 0),
+      validateIssuer: !!+(process.env.AZURE_AUTH_VALIDATE_ISSUER ?? 1),
+      useCookieInsteadOfSession: !!+(
+        process.env.AZURE_AUTH_COOKIE_INSTEAD_SESSION ?? 1
+      ),
       cookieEncryptionKeys: [
         {
           key: process.env.AZURE_AUTH_COOKIE_KEY,
           iv: process.env.AZURE_AUTH_COOKIE_IV,
         },
       ],
+      isB2c: !!+(process.env.AZURE_AUTH_B2C_TENANT ?? 0),
+      clockSkew: +(process.env.AZURE_AUTH_CLOCK_SKEW ?? clockSkew),
+      loggingLevel: process.env.AZURE_AUTH_LOG_LEVEL,
+      loggingNoPII: !!+(process.env.AZURE_AUTH_LOG_PII ?? 1),
+      nonceLifetime: +(process.env.AZURE_AUTH_NONCE_TIME ?? nonceTime),
+      nonceMaxAmount: +(process.env.AZURE_AUTH_NONCE_COUNT ?? nonceCount),
+      issuer: process.env.AZURE_AUTH_ISSUER,
+      cookieSameSite: !!+(process.env.AZURE_AUTH_COOKIE_SAME_SITE ?? 0),
     },
     queryGen('query'),
   )
@@ -110,17 +124,28 @@ export class AzureLoginController {
       responseMode: 'query',
       redirectUrl: process.env.AZURE_AUTH_REDIRECT_URL,
       clientSecret: process.env.AZURE_AUTH_CLIENT_SECRET,
-      allowHttpForRedirectUrl: !!process.env.AZURE_AUTH_ALLOW_HTTP_REDIRECT,
-      passReqToCallback: !!process.env.AZURE_AUTH_PASS_REQ_CALLBACK,
-      validateIssuer: !!process.env.AZURE_AUTH_VALIDATE_ISSUER,
-      useCookieInsteadOfSession:
-        !!process.env.AZURE_AUTH_COOKIE_INSTEAD_SESSION,
+      allowHttpForRedirectUrl: !!+(
+        process.env.AZURE_AUTH_ALLOW_HTTP_REDIRECT ?? 1
+      ),
+      passReqToCallback: !!+(process.env.AZURE_AUTH_PASS_REQ_CALLBACK ?? 0),
+      validateIssuer: !!+(process.env.AZURE_AUTH_VALIDATE_ISSUER ?? 1),
+      useCookieInsteadOfSession: !!+(
+        process.env.AZURE_AUTH_COOKIE_INSTEAD_SESSION ?? 1
+      ),
       cookieEncryptionKeys: [
         {
           key: process.env.AZURE_AUTH_COOKIE_KEY,
           iv: process.env.AZURE_AUTH_COOKIE_IV,
         },
       ],
+      isB2c: !!+(process.env.AZURE_AUTH_B2C_TENANT ?? 0),
+      clockSkew: +(process.env.AZURE_AUTH_CLOCK_SKEW ?? clockSkew),
+      loggingLevel: process.env.AZURE_AUTH_LOG_LEVEL,
+      loggingNoPII: !!+(process.env.AZURE_AUTH_LOG_PII ?? 1),
+      nonceLifetime: +(process.env.AZURE_AUTH_NONCE_TIME ?? nonceTime),
+      nonceMaxAmount: +(process.env.AZURE_AUTH_NONCE_COUNT ?? nonceCount),
+      issuer: process.env.AZURE_AUTH_ISSUER,
+      cookieSameSite: !!+(process.env.AZURE_AUTH_COOKIE_SAME_SITE ?? 0),
     },
     queryGen('body'),
   )
@@ -161,17 +186,28 @@ export class AzureLoginController {
       responseMode: 'query',
       redirectUrl: process.env.AZURE_AUTH_REDIRECT_URL,
       clientSecret: process.env.AZURE_AUTH_CLIENT_SECRET,
-      allowHttpForRedirectUrl: !!process.env.AZURE_AUTH_ALLOW_HTTP_REDIRECT,
-      passReqToCallback: !!process.env.AZURE_AUTH_PASS_REQ_CALLBACK,
-      validateIssuer: !!process.env.AZURE_AUTH_VALIDATE_ISSUER,
-      useCookieInsteadOfSession:
-        !!process.env.AZURE_AUTH_COOKIE_INSTEAD_SESSION,
+      allowHttpForRedirectUrl: !!+(
+        process.env.AZURE_AUTH_ALLOW_HTTP_REDIRECT ?? 1
+      ),
+      passReqToCallback: !!+(process.env.AZURE_AUTH_PASS_REQ_CALLBACK ?? 0),
+      validateIssuer: !!+(process.env.AZURE_AUTH_VALIDATE_ISSUER ?? 1),
+      useCookieInsteadOfSession: !!+(
+        process.env.AZURE_AUTH_COOKIE_INSTEAD_SESSION ?? 1
+      ),
       cookieEncryptionKeys: [
         {
           key: process.env.AZURE_AUTH_COOKIE_KEY,
           iv: process.env.AZURE_AUTH_COOKIE_IV,
         },
       ],
+      isB2c: !!+(process.env.AZURE_AUTH_B2C_TENANT ?? 0),
+      clockSkew: +(process.env.AZURE_AUTH_CLOCK_SKEW ?? clockSkew),
+      loggingLevel: process.env.AZURE_AUTH_LOG_LEVEL,
+      loggingNoPII: !!+(process.env.AZURE_AUTH_LOG_PII ?? 1),
+      nonceLifetime: +(process.env.AZURE_AUTH_NONCE_TIME ?? nonceTime),
+      nonceMaxAmount: +(process.env.AZURE_AUTH_NONCE_COUNT ?? nonceCount),
+      issuer: process.env.AZURE_AUTH_ISSUER,
+      cookieSameSite: !!+(process.env.AZURE_AUTH_COOKIE_SAME_SITE ?? 0),
     },
     queryGen('query'),
   )